Running certbot did not give me https

And I mentioned merging the two:
http > https
http > https
to
(both http) > https

And you said:
BAD BOY!

2 Likes

I've been digging here looking for a best practice citation:

2 Likes

Look at the redirect statements, Rudy. They don't go to the same place...

Hence why two VirtualHost blocks with two different ServerNames are necessary to avoid a rewrite (because Redirect statements can't have variables in them).

If we didn't care about keeping the hostname the same when redirecting from http to https then we could just have:

<VirtualHost *:80>
    ServerName newkiddintown.com
    ServerAlias www.newkiddintown.com
    ServerAdmin webmaster@localhost
    Redirect permanent "/" "https://www.newkiddintown.com/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

2 Likes

How are two HTTP redirections any more secure than one?

and from your link:

Which says your two redirects are insecure! - lol

2 Likes

Honestly, I'm not sure. I've been digging for a specific citation for JuergenAuer's comment, but I can't find a specific reason. I do know that his tool checks for this though.

As for the STS header after secure connection, it is to inform the user's browser that any further connections (or links) to that apex domain name (and its subdomain names) should ONLY be attempted over https, an automatic upgrade if you will.

How is http -> httpS -> httpS insecure? It's standard practice on millions of websites the world over.

2 Likes

I thought you could read German... hmm

That whole problem starts and ends here:

2 Likes

It specifically came up when I checked my own sites with his tool because I DIDN'T follow this rule (because I wanted a faster load time by having one less redirect).

2 Likes

I agree. Hence the HSTS preload list causes browsers using the list to always default to https connections for any domain name on the list.

2 Likes

Can we add *.* to the HSTS list of sites?

2 Likes

You misread/misunderstood me.
I said it says your two redirects are insecure.
You heard double redirects.
1 redirection: http://site.com > https://site.com [they say it is insecure]
2 redirection: http://www.site.com > https://www.site.com [they say it is insecure]

2 redirections in two server blocks.
I say do them as 1 redirection in one server block.
(http://site.com or http://www.site.com) > https://site.com

2 Likes

Or just detonate port 80?

:grin:

2 Likes

Have you seen my IMAGE?
It says in not so many words:
Just SAY NO to HTTP!

Good riddance.
It's the dang browsers that won't let go.

FTP got secured.
Telnet got secured.
HTTP (work in progress)

2 Likes

You do know that virtually EVERY website we help with here has http -> https -> https ...

2 Likes

Might want to see this:

2 Likes

This is the AUTHORITARIAN source for HSTS:

2 Likes

Curious... WTF!?

:worried:

http://google.com
301 Moved Permanently
http://www.google.com/
200 OK
2 Likes

But it also has http -> https

LET:
A = (http://site.com)
B = (https://site.com)
C = (http://www.site.com)
D = (https://www.site.com)

A > B
C > D

Then 1 of:
B > D
or
D > B

If we choose the first (B > D) to illustrate a full example, then:
A > B > D
C > D
So it does both!

I say cut out the B step (from A):
A > D
B > D [this it does now]
C > D [this it does now]

Why not?

2 Likes
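The A > B > D versus A > D argument above, as an added example that is not part of this thread: a small Python checker that walks a redirect chain in that notation and applies the "same host first" rule (first hop off http must stay on the same hostname so that host can send its own HSTS header), plus a no-downgrade and HSTS-present check. The sample chains, the rule names and the finding strings are my own assumptions, not output of any tool mentioned in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample chains in the thread's A/B/C/D notation: each hop is
# (url, status, Strict-Transport-Security header or None). None of these
# were captured from a real site.
CHAIN_A_B_D = [  # A > B > D: http://site.com -> https://site.com -> https://www.site.com
    ("http://site.com/", 301, None),
    ("https://site.com/", 301, "max-age=31536000; includeSubDomains"),
    ("https://www.site.com/", 200, "max-age=31536000; includeSubDomains"),
]
CHAIN_A_D = [  # A > D: the shortcut proposed above, hostname changes on hop one
    ("http://site.com/", 301, None),
    ("https://www.site.com/", 200, "max-age=31536000; includeSubDomains"),
]
CHAIN_HTTP_FIRST = [  # hostname changes while still on plain http
    ("http://site.com/", 301, None),
    ("http://www.site.com/", 301, None),
    ("https://www.site.com/", 200, "max-age=31536000"),
]

def check_chain(chain):
    """Return findings for a redirect chain (empty list = passes).

    Rules, assumed here as the 'same host first' rule the thread argues about:
      1. the first hop off http:// lands on https:// for the SAME hostname, so
         that hostname gets to send its own HSTS header before any www hop;
      2. once on https the chain never steps back to http;
      3. every https response carries Strict-Transport-Security.
    """
    if not chain:
        return ["empty chain"]
    findings = []
    first = urlsplit(chain[0][0])
    if first.scheme == "http" and len(chain) > 1:
        nxt = urlsplit(chain[1][0])
        if nxt.scheme != "https":
            findings.append(f"first hop stays on http: {chain[1][0]}")
        elif nxt.hostname != first.hostname:
            findings.append(f"first hop changes host {first.hostname} -> "
                            f"{nxt.hostname}; {first.hostname} never sends HSTS")
    seen_https = False
    for url, _status, hsts in chain:
        if urlsplit(url).scheme == "https":
            seen_https = True
            if not hsts:
                findings.append(f"{url}: missing Strict-Transport-Security")
        elif seen_https:
            findings.append(f"{url}: downgrade to http after https")
    return findings
```

Feed it chains recorded from your own server's responses (one tuple per hop) to see which rule the shortcut trips.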

Here's why...

http://wikipedia.org
301 TLS Redirect
https://wikipedia.org/
301 Moved Permanently
https://www.wikipedia.org/
200 OK

I have NEVER seen any 301 labeled as a TLS redirect before. I just looked at the headers. Wikipedia specifically labeled that for HSTS.

2 Likes

Don't get hung up on the labels - it's just text fluff (could be in a language you can't read... Sanskrit).
The key is "301"

2 Likes

It was a deliberate design decision for HSTS.

Just like this one...

http://www.wikipedia.org
301 TLS Redirect
https://www.wikipedia.org/
200 OK
2 Likes